Updating logged in state when user tries to log in from different browser/system

[tonmoy71]

Background

In Facebook and similar websites, when a user is logged in several tabs and he/she logs out from one tab, all other tabs get notified that the user has been logged out and prompts a login dialog.

In taskcat, whether a user is logged in or not is understood by json token. Say user X is logged in in pc1. Now if he login from another pc2, a new json token will be retrieved on behalf of him and the token saved in pc1 will be expired. So all the authorized calls from pc1 will get a 401 error.

The json tokens expired automatically after a certain time, in that case too, the token saved in his browser's local storage will not be applicable in the authorized api call.

Observed Problem

In the above-mentioned scenario, WebCat does not let the user log in and does not show any alert/prompt to log in again. It shows the following error as the access token gets invalid and the user becomes unauthorized.

Also, if a user manually logout and log in again, the api calls keep using the old saved token. If a manual browser refresh triggered, only then the api calls retrieved the latest token from the browser and are able to call the authorized api.

Problem found in http://gofetch.cloudapp.net:8000/#/home

[thehoneymad]

I think this is supposed to be fixed in #71

[thehoneymad]

Okay, now I understand. Yes, thats an horizontal session scaling issue. Hold on

[thehoneymad]

Do these here as I need to know how claims are working here.

1. get token for an user
2. access an authorized endpoint
3. get token again for the same user
4. use the old token to get the same resource

[tareq89]

@thehoneymad , I have followed the 4 steps described by you. Yes the old token can get the same resource.

[thehoneymad]

It is supposed to, thats how claims work. Its definitely a refresh token issue. Please rename the issue accordingly.